Tabletop Exercise Kit
KEV Exploitation Tabletop Kit
A 60–90 minute exercise for public-sector teams to practice decisions around emergency patching, downtime approval, compensating controls, and leadership communications when a known exploited vulnerability affects an important system.
Expected time
- Standard: 60–90 minutes
- Short version: 45 minutes
- Extended version: up to 2 hours with deeper hotwash
Best participants
- IT leadership
- security staff
- infrastructure or application owners
- executive sponsor / department leadership
- communications / PIO
What this exercise practices
- confirming exposure to a known exploited vulnerability
- identifying owners and service dependencies
- deciding whether to patch now, delay, isolate, or apply compensating controls
- approving downtime or emergency changes
- briefing leadership in plain English
- capturing follow-up actions for process improvement
Threat context
This exercise includes a fictional threat profile — Spectral Raccoon / APT-1337 — to provide a consistent scenario context for participants. The profile is used to support discussion and decision-making during the exercise; it is not intended to represent real-world attribution.
- Provides a clear, memorable threat context for the scenario
- Supports discussion of urgency, patch timing, and leadership communications
- Keeps the exercise focused on decisions, coordination, and follow-through
Recommended flow
- Review the facilitator guide and threat brief.
- Tailor the scenario to the real technology and services in your environment.
- Distribute the threat snapshot to participants.
- Run the injects and force clear decisions on downtime, patching, compensating controls, and communications.
- Capture follow-up actions in the hotwash.